Thomas, fully agree. :)

Rayson Ho, even with containers, distro packages are preferable. It's really 
difficult at the moment to ensure your containers don't have security 
vulnerabilities baked into them. None of the docker repos I've seen really 
help you with automating this. The only trick I've found is to set up a jenkins 
server that tests a 'docker run -it --rm containername [apt-get upgrade -y || 
yum upgrade -y]' periodically, check the results to see if it does anything, and 
if it does, force a rebuild of the container using the native tools. And then 
ensure you either get notified or have some kind of orchestration system that 
notices the new containers and does the right rolling upgrades for you.

This process gets much more complicated if you're using a random language-provided 
tool on top of the distro-provided tools, as there are increasing numbers of 
sources to check.

Thanks,
Kevin
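The periodic "would an upgrade change anything?" check Kevin describes, written out as an added POSIX shell example (not code from the thread or from any of its participants). It assumes a Debian/Ubuntu based image and uses apt-get's simulation mode so the throwaway container is never modified; the apt-get output samples, package versions and the build context are constructed for the demonstration.

```shell
#!/bin/sh
# Periodic "does this image already have pending package upgrades?" check.
# Assumes a Debian/Ubuntu based image; 'apt-get -s upgrade' only simulates,
# so the throwaway container is never modified. (Example code, constructed.)

# List package names an upgrade would install, given the text of
# 'apt-get -s upgrade' output (simulation lines look like "Inst pkg [old] (new ...)").
upgradable_packages() {
    printf '%s\n' "$1" | sed -n 's/^Inst \([^ ]*\).*/\1/p'
}

# Number of pending upgrades; always prints a number (0 when nothing is pending).
pending_upgrades() {
    n=$(upgradable_packages "$1" | grep -c .) || n=0
    echo "$n"
}

# Run the simulation in a fresh, throwaway container of the given image.
simulate_upgrade() {
    docker run --rm "$1" sh -c 'apt-get update -qq >/dev/null && apt-get -s upgrade'
}

# Exit 0 when the image should be rebuilt (updates pending), 1 when it is current.
image_needs_rebuild() {
    out=$(simulate_upgrade "$1") || return 2
    [ "$(pending_upgrades "$out")" -gt 0 ]
}

# Constructed sample of 'apt-get -s upgrade' output (versions are placeholders).
SAMPLE_OUTPUT='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libssl1.0.0 openssl
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.0.0 [1.0.1-1] (1.0.1-2 Debian-Security:8 [amd64])
Inst openssl [1.0.1-1] (1.0.1-2 Debian-Security:8 [amd64])
Conf libssl1.0.0 (1.0.1-2 Debian-Security:8 [amd64])
Conf openssl (1.0.1-2 Debian-Security:8 [amd64])'

# Constructed sample for an image that is already current.
CLEAN_OUTPUT='Reading package lists...
Building dependency tree...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.'

# Jenkins job body: check a real image and rebuild it with fresh packages only
# when the check says so. Assumes a Dockerfile in the current directory.
# Usage: sh check-image.sh myorg/myimage:latest   (image name is a placeholder)
if [ -n "$1" ]; then
    if image_needs_rebuild "$1"; then
        echo "rebuilding $1: pending upgrades found"
        docker build --pull --no-cache -t "$1" .
    else
        echo "$1 is current"
    fi
fi
```

The rebuild step is the hook for the notification or orchestration system mentioned above; a non-zero exit from `image_needs_rebuild` (status 2) means the container itself failed to run and should be treated as a job failure, not as "current".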
________________________________________
From: Thomas Goirand [z...@debian.org]
Sent: Tuesday, May 10, 2016 5:01 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [tc] supporting Go

On 05/10/2016 04:19 PM, Rayson Ho wrote:
> I mentioned in earlier replies but I may as well mention it again: a
> package manager gives you no advantage in a language toolchain like Go

Oh... You mean just like in Python where we have pip, Perl where we have
CPAN, PHP where we have PEAR, or JavaScript where we have
gulp/npm/grunt/you-name-it?

Each and every language thinks it's "special" and that no distro should
be involved. Of course, the reality is different.

> IMO, the best use case of not using a package manager is when deploying
> into containers
> -- would you prefer to just drop a static binary of your
> Go code, or you would rather install "apt-get" into a container image,

For anything serious, the latter, of course! The former is only for
hackers, calling themselves devs, who don't know about opts, playing and
thinking they're the cool guys. This fashion of "we're in a container,
so it's ok to do everything dirty" will soon be regarded by everyone as
one big mistake.

If you're using containers the wrong way, you lose:
1/ Version accountability
2/ Security audit
3/ Build reproducibility

Installing from $language manager instead of distro packages, be it in
containers or not, will almost always make you download random blobs
from the Internet, which are of course changing over time without any
notice, losing the above 3 important features.

Cheers,

Thomas Goirand (zigo)


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
